SeLinux Samba Problem on FC4

[starfish]

FYI.

I was having a problem with Samba on fedora core 4 running SE Linux. I couldn't map the home directories, and kept getting the following syslog message:

Code:

Oct 18 01:07:50 zippy smbd[2748]:   .Unable to open passdb database. 
Oct 18 01:07:50 zippy smbd[2748]: [2005/10/18 01:07:50, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(279) 
Oct 18 01:07:50 zippy smbd[2748]:   startsmbfilepwent_internal: failed to set 0600 permissions on password file /etc/samba/smbpasswd. Error was Permission denied 
Oct 18 01:07:50 zippy smbd[2748]:   .Unable to open passdb database. 
Oct 18 01:08:13 zippy nmbd[2720]: [2005/10/18 01:08:13, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)

Code:

# touch /.autorelabel ; init 6

Then I started to get these errors:

Code:

Oct 17 22:27:58 zippy smbd[2975]:   '/data/mydocs' does not exist or is not a directory, when connecting to [mydocs] 
Oct 17 22:29:40 zippy smbd[2975]: [2005/10/17 22:29:40, 0] smbd/service.c:make_connection_snum(615) 
Oct 17 22:29:40 zippy smbd[2975]:   '/data/mydocs' does not exist or is not a directory, when connecting to [mydocs]

This is my smb.conf configuration

Code:

# Global parameters
[global]
   workgroup = MYGROUP
        server string = Samba Server
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        dns proxy = No
        ldap ssl = no
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
        cups options = raw

        security = user
        template shell = /bin/false
        winbind use default domain = no
        obey pam restrictions = yes
        guest ok = no
        unix password sync = yes
        pam password change = yes

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[mydocs]
        path = /data/mydocs
        valid users = mydocs
        public = no
        writable = yes
        printable = no

The thread http://www.linuxquestions.org/questi...hreadid=335899 gives the following solutions, but it doesn't work on home directories that are on a partition other than /home.

Solution 1 (temporary; won't survive a re-boot):

Issue the command:

[root]# setsebool samba_enable_home_dirs=1

Solution 2 (might survive a reboot; I didn't actually try this one):

[root]# setsebool -P samba_enable_home_dirs=1

Solution 3 (survives a reboot):

This is the solution I ultimately settled on. Go to the /etc/selinux/targeted directory. Create a text file called booleans.local, and put the "samba_enable_home_dirs=1" line in it (without the quotes, of course).

Solution 4 (surives a reboot, but removes all SELinux protection):

Edit /etc/selinux/config. Change the line SELINUX=enforcing to SELINUX=permissive or SELINUX=disabled.

I tried solution #3. (I don't want to jeopardize my SELinux on a wireless network)

I looked at the context of the / directory and saw that the contexts of /data and /home were different.

Code:

[root@zippy tmp]# ls -alZ /
drwxr-xr-x  root     root     system_u:object_r:root_t         .
drwxr-xr-x  root     root     system_u:object_r:root_t         ..
-rw-r--r--  root     root     system_u:object_r:etc_runtime_t  .autofsck
drwxr-xr-x  root     root     system_u:object_r:bin_t          bin
drwxr-xr-x  root     root     system_u:object_r:boot_t         boot
drwxr-xr-x  root     root     system_u:object_r:default_t      data
drwxr-xr-x  root     root     system_u:object_r:device_t       dev
drwxr-xr-x  root     root     system_u:object_r:etc_t          etc
drwxr-xr-x  root     root     system_u:object_r:home_root_t    home
drwxr-xr-x  root     root     system_u:object_r:lib_t          lib
drwx------  root     root     system_u:object_r:lost_found_t   lost+found
drwxr-xr-x  root     root     system_u:object_r:mnt_t          media
drwxr-xr-x  root     root                                      misc
drwxr-xr-x  root     root     system_u:object_r:mnt_t          mnt
drwxr-xr-x  root     root                                      net
drwxr-xr-x  root     root     system_u:object_r:usr_t          opt
dr-xr-xr-x  root     root                                      proc
drwxr-x---  root     root     root:object_r:user_home_dir_t    root
drwxr-xr-x  root     root     system_u:object_r:sbin_t         sbin
drwxr-xr-x  root     root                                      selinux
drwxr-xr-x  root     root     system_u:object_r:var_t          srv
drwxr-xr-x  root     root                                      sys
drwxrwxrwt  root     root     system_u:object_r:tmp_t          tmp
drwxr-xr-x  root     root     system_u:object_r:usr_t          usr
drwxr-xr-x  root     root     system_u:object_r:var_t          var
[root@zippy tmp]#

So I just changed /data to match the context of /home and it works just fine. Hooray!

Code:

[root@zippy tmp]# chcon -t home_root_t /data/{/code]

[/code]

[scribbles]

I tried this myself and it worked perfectly! I really didn't want to disable selinux either. Thanks starfish.